Data Security Policy

LAST REVIEWED AND UPDATED SEPTEMBER, 2023

We take data security seriously, and Vind AI is committed to deliver a platform that meets the needs of our customers and the industry. Data security includes access control, authentication and authorization, how your data is secured against fraud and attacks, the physical security of hardware, and organizational policies and procedures. We want you to take full advantage of what web based software enables in terms of productivity and usability, which is why data security has top priority. 

We are cognizant that as of this time, we do not possess a SOC-2 or comparable certification. Please note that this absence does not reflect a lack of security rigor, but rather is indicative of our current phase of growth and maturity. In order to reinforce our commitment to safeguarding data and maintaining high standards of security, we meticulously select and use only third-party services that are compliant with SOC-2 and ISO2700x standards. For instance, integral components of our infrastructure, such as Amazon Web Services (AWS), GitHub, Auth0, and Ably, all meet these stringent standards, ensuring that they, too, embody our unwavering commitment to maintaining robust security standards.

1. Summary

The Vind AI platform safeguards customer data using a variety of mechanisms:

• Successful penetration test by recognized third party July 2023
• Customer data is secured in transit with SSL/TLS
• Customer data is encrypted at rest using AES-256 encryption, with backup
• Customer data is stored at Amazon Web Services (AWS) servers in EU (Ireland)
• Vind AI uses third party services only with the highest security certifications (SOC2 / ISO27001), including AWS, Auth0 and Ably
• Strong authentication and authorization controls are in place to logically separate data and verify access for individuals – verified by consultants
• Vind AI performs audits to code changes and the system architecture, and monitor the infrastructure to detect potential abuse
• Vind AI runs serverless, meaning that there is no continuously running server/cluster prone to attacks
• Access is given based on the principle-of-least-privilege both for our personnel and for our application services

2. Data Storage

Databases that persistently store customer data are hosted by AWS and located in the EU (Ireland), specifically in the eu-west-1 region. The data center in use is SOC 1, SOC 2 and SOC 3 compliant.

A server-side encryption is activated for all customer data in the data center, using AES-256 encryption standard, fully managed by AWS. Vind AI also ensures that backup strategies are in place, available at least 30 days back in time. Backups are fully managed by AWS, with point-in-time recovery enabled. This means there is little to no uncertainty in the quality of the backups. 

For information on AWS Security and Compliance, refer the following links:

• AWS Security and Compliance whitepaper
• AWS Data Centre Security

3. Data Protection

All data and communication with our services in AWS data centers are sent over HTTPS and encrypted in transit. Our APIs are well protected with authorization schemes, tested by third party consultants specializing in penetration testing. Data flows from the APIs to the data bases where it is encrypted at rest. Data from different Teams and Projects are logically separated.

4. Access Control

We have support for SSO with SAML and Azure AD/Entra ID. Read more about that here.

Vind AI uses token-based authorization, implemented with trusted tools and with best practices including all available measures to ensure safe operations. In order to access the system the user needs to be authenticated. The authentication process is handled by Auth0, a recognized 3rd party provider holding the highest certifications like SOC 2 and ISO27001. Once authenticated, the user is given a JWT-token which is valid for 10 minutes. The token contains user authorization information which is used in our authorizer systems which restricts access to data on either team level or project level. After 10 minutes, a refresh token is used to ask for a new JWT-token. This refresh token is only valid for the specific device, once, and we utilize the mechanisms of Auth0 to automatically detect if tokens are leaked – what Auth0 denotes as Refresh Token Rotation (RTR). Admin users can add and remove users from Teams and Projects – the access role will be updated within 10 minutes, ensured by the short-lived JWT tokens, and use of RTR.

5. Threat Detection

Vind AI implements measures at many levels to ensure that potential threats are detected:

• GuardDuty is managed by AWS monitors and protects AWS resources and workloads by continuously analyzing logs, events and network traffic. GuardDuty uses machine learning algorithms and AWS threat intelligence to identify malicious activity and provide actionable insights to help organizations detect and respond to security incidents more effectively.
• Continuous code scanning for dependency vulnerabilities in our code base on GitHub (SOC 2 compliant) using Dependabot. Vind AI has procedures to eliminate the potential risks reported.
• Continuous scanning of security risks using GitHub Advanced Security with CodeQL
• Our development team uses MacBooks, which come with built-in security features, and we adhere to a set of practices to identify and manage information security vulnerabilities. All machines are encrypted.

6. Security Configuration

6.1 Change management

We have several functions to ensure that any changes to our IT systems do not introduce new vulnerabilities. We use CodeQL and GitHub for code scanning (SAST). Changes to the application are also tested by peers during internal reviews before being released to production. We test the Vind application, support systems, backends and authorization system automatically using e.g. Checkly to detect and notify us about any issues with the system.

Every application undergoes a risk assessment. Each resource used by the application is scrutinized and potential attack vectors are assessed and minimized. This can include restricting access to specific sub resources (least privilege) to decrypting security tokens at runtime instead of storing them as environmental variables. The risk assessment is done continuously in order to reflect the assessment with changes to the application. Applications are run on a hardened host by default by AWS.

6.2 Incident response

In the event that a vulnerability is exploited, we have an incident response plan in place to quickly contain and rectify the issue. This includes communication plans to notify any affected parties as necessary. Vind implements the NIST Incident Response Framework which includes the following phases: 

• Preparation
• Detection and analysis
• Containment eradication and recovery
• Post-incident activity and reporting

6.3 Employee training

Our team takes a proactive, systematic approach to identifying and managing information security vulnerabilities in our IT systems. Here is an overview of our processes:

• Vulnerability Assessment: We use a variety of methods to identify potential vulnerabilities, including automated security tools and manual code reviews. We regularly perform threat modeling sessions to continuously protect and improve our platform
• Patch Management: We have a process in place to apply patches promptly to address known vulnerabilities
• Secure Coding Practices: Our team follows secure coding practices to minimize the introduction of security vulnerabilities during the development phase

New employees are introduced to our internal security routines for safe development, handling of confidential information, securing their laptops, use of password management tools and multi-factor authentication.

7. Privacy

Vind AI stores all personal information in compliance with GDPR. See our privacy notice for details here.

8. Disclaimer

This document is for informational purposes only and represents Vind AI’s current product offerings, which are subject to change. The responsibilities and liabilities of Vind AI to its customers are controlled by Vind AI’s agreements, and this document does not create any warranties, representations, contractual commitments, conditions, or assurances from Vind AI, its affiliates, suppliers, or licensors.